Cross Site Scripting Vulnerabilities

This site intends to show how many sites on the internet are completely vulnerable to a two-year-old security problem. They refuse to fix the problem, while still bragging about how secure their information is. Well, it's not. Here's why.

Background info:
- CERT : Advisory on Cross Site Scripting.
- CERT : How to fix it.

This site in the news:
- Developer.com : An Oldie but Goodie: The Cross-Site Scripting Vulnerability
- Vnunet : Top sites vulnerable to hackers
- MSNBC : Citibank payment service said flawed
- eWeek : Flaw Leaves Online Citibank Customers Vulnerable
- InformationWeek : Security Researcher Says Citibank Took A While To 'C2' Security Flaw
- E-Commerce Times : E-Commerce Sites Fail Security 101
- Geek.com : Citibank payment system flaw
- NewsBytes : Net Users Warned To Beware Sites With Scripting Holes
- BankersOnline.com : Is your site secure?

I've also added banking sites with insecure logins. These sites are open to an even easier attack: an active man-in-the-middle attack. Banks unfortunately ignore these easy attacks, focusing on harder attacks involving cracking encryption or breaking firewalls. These insecure login forms were never secured or encrypted, so they can be modified in transit to the user and rewritten to redirect logins to another site that captures the login data. Banks should immediately redirect customers to secure sites to ensure the integrity of the pages they receive. Users should not use or trust any bank web page whose address does not start with https.
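As an added example (not code from the original page), here is a small Python check for the weakness just described: it flags login forms on pages served over plain http (which an attacker on the path can rewrite before the user sees them) and forms whose action would post the credentials over http. The bank.example host and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> with its action and the input types it holds."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return (reason, page_url, resolved_action) for each password form
    that an on-path attacker could rewrite in transit (page not https) or
    that submits credentials in the clear (action not https)."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if "password" not in form["inputs"]:
            continue  # not a login form; out of scope for this check
        target = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        if urlsplit(page_url).scheme.lower() != "https":
            findings.append(("page-not-https", page_url, target))
        if urlsplit(target).scheme.lower() != "https":
            findings.append(("action-not-https", page_url, target))
    return findings


# Constructed sample markup (not taken from any real bank site).
INSECURE_LOGIN = ('<form action="/cgi-bin/login" method="post">'
                  '<input name="user"><input type="password" name="pass"></form>')
MIXED_LOGIN = ('<form action="http://bank.example/login" method="post">'
               '<input name="user"><input type="PASSWORD" name="pass"></form>'
               '<form action="/search"><input name="q"></form>')
```

The same markup is reported differently depending on the scheme of the page it was fetched from, which is exactly the point: a relative form action is only as safe as the page that carries it.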

Many sites rush their product out the door without the necessary security precautions. In this day and age, no web site with customer data to protect should go live without a complete review of the existing security alerts from sites like CERT. In addition, when running a site, if the site operator receives specific information about a security hole, they should act immediately to fix it. Many sites have failed to do this. Many crackers know this and will use these holes if they are not fixed. A few of these holes in Hotmail have been publicized, but other than that, many sites' holes have gone unfixed.

[ List of sites with Cross Site Scripting Security Holes & other security problems ]

In the interest of safety we are starting a public list of active security holes on live sites. We suggest that you turn off JavaScript, and keep it off, if you don't want your data left open when you visit various websites. For home users: here are some tips for making your computer more secure.
